I am sure this is an oldie, but let me ask it again. I have a PIX 506E running 6.3.4. It is terminating PIX to PIX VPN connections for our enterprise. I have end users who need to connect to a customer network through the PIX 506E via a Nortel Contivity VPN Client. I have a very loose outbound access-list (switching this to a default deny as we speak) and have allowed AH and ESP inbound to the outside interface from the remote VPN Server. I keep getting this error:
305006: portmap translation creation failed for protocol 50
I am PATing everything to the address of the outside interface of the PIX.
Thanks for the response. I just mentioned the PAT to get the point across that I was not statically NATing the internal users to their own IPs. The PAT is in place for all outbound traffic. I have read that you can only use the fixup for ESP if the PIX isn't also terminating other IPsec VPN connections (which it is). It is part of a VPN meshed network. Lastly, I have read that even if the PIX weren't terminating VPN connections, the fixup would only allow 1 VPN connection from an internal client at a time. And that won't work because I have 14 users who need to access this remote network. Have I been misled, or have I misread? Thanks for the help!
Yes .. you are correct .. the fixup only allows one IPsec connection at the same time and can't be applied when you are already terminating a VPN tunnel on the PIX; in fact, if you try to type in the fixup you will receive an error message .. What you could try is finding out whether the client supports NAT transparency and which ports it uses for it .. For example, a Cisco client uses UDP 4500 or TCP 10000 by default, so you could try creating an access-list which allows UDP 4500, UDP 500, and TCP 10000 (in the case of the Cisco client) .. this needs to be applied to the outside and inside interfaces in the inbound direction.
The issue is basically an incompatibility between ESP and NAT/PAT .. but the transparency feature will encapsulate the ESP packet in a UDP header and the PAT should work .. I have not done this myself, so please let us know how you go.
Please let me know how you go .. and rate it if it helps ..
Well, as mentioned, there are issues between PAT and IPsec. If those who want VPN to the Nortel are limited, you can create static NATs for them and then allow ESP and AH to their IP addresses. This would work 100%. However, this depends on how many there are and whether this is feasible for you.
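To see which internal hosts are actually tripping over this (and so how many static NATs the suggestion above would need, or which clients still need NAT-T turned on), here is an added Python example, not from this thread, that parses PIX 305006 messages. The message id and "portmap translation creation failed for protocol 50" text come from the thread; the src/dst suffix and the sample log lines are constructed assumptions about the 6.x syslog format.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (assumed PIX 6.x 305006 layout). Protocol 50 is
# ESP, 51 is AH: raw IPsec hitting PAT with no UDP header to translate.
SAMPLE_LOG = """\
Jan 10 09:12:01 pix %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:10.1.1.5 dst outside:203.0.113.10
Jan 10 09:12:03 pix %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:10.1.1.5 dst outside:203.0.113.10
Jan 10 09:12:07 pix %PIX-3-305006: portmap translation creation failed for protocol 51 src inside:10.1.1.9 dst outside:203.0.113.10
Jan 10 09:12:09 pix %PIX-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.5/51000 (203.0.113.1/1025)
Jan 10 09:12:11 pix %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:10.1.1.22 dst outside:192.0.2.44
"""

IPSEC_PROTOCOLS = {50: "ESP", 51: "AH"}

PATTERN = re.compile(
    r"%PIX-\d-305006: portmap translation creation failed for protocol (?P<proto>\d+)"
    r" src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)

def parse_305006(log_text):
    """Yield (protocol_number, src_ip, dst_ip) for each 305006 message found."""
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            yield int(m.group("proto")), m.group("src"), m.group("dst")

def ipsec_pat_failures(log_text):
    """Group ESP/AH PAT failures by internal host.

    Returns {src_ip: {"protocols": set of names, "peers": set of dst IPs, "count": n}}.
    Other protocol numbers are ignored: a 305006 for e.g. GRE is a different problem.
    """
    hosts = defaultdict(lambda: {"protocols": set(), "peers": set(), "count": 0})
    for proto, src, dst in parse_305006(log_text):
        if proto not in IPSEC_PROTOCOLS:
            continue
        entry = hosts[src]
        entry["protocols"].add(IPSEC_PROTOCOLS[proto])
        entry["peers"].add(dst)
        entry["count"] += 1
    return dict(hosts)

def static_nat_candidates(log_text):
    """Internal hosts that need either NAT-T on the client or a 1:1 static NAT."""
    return sorted(ipsec_pat_failures(log_text))

if __name__ == "__main__":
    for host, info in sorted(ipsec_pat_failures(SAMPLE_LOG).items()):
        print(f"{host}: {info['count']} failures, {sorted(info['protocols'])} to {sorted(info['peers'])}")
```

A host that shows up here is still sending raw ESP or AH; once its client is switched to UDP encapsulation the 305006 messages for it should stop, which is a quick way to confirm the NAT transparency setting took effect.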
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...